GHSA-r9hx-vwmv-q579

Source

https://github.com/advisories/GHSA-r9hx-vwmv-q579

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-r9hx-vwmv-q579/GHSA-r9hx-vwmv-q579.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r9hx-vwmv-q579

Aliases

Published

2022-12-23T00:30:23Z

Modified

2024-11-19T19:46:32.540446Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N CVSS Calculator

Summary

pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)

Details

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

Database specific

{
    "nvd_published_at": "2022-12-23T00:15:00Z",
    "cwe_ids": [
        "CWE-1333"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-27T14:51:05Z"
}

References

Affected packages

PyPI / setuptools

Package

Name: setuptools; View open source insights on deps.dev
Purl: pkg:pypi/setuptools

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

65.5.1

Affected versions

0.*

0.6b1

0.6b2

0.6b3

0.6b4

0.6c1

0.6c2

0.6c3

0.6c4

0.6c5

0.6c6

0.6c7

0.6c8

0.6c9

0.6c10

0.6c11

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.7.8

0.8

0.9

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

1.*

1.0

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.2

1.3

1.3.1

1.3.2

1.4

1.4.1

1.4.2

2.*

2.0

2.0.1

2.0.2

2.1

2.1.1

2.1.2

2.2

3.*

3.0

3.0.1

3.0.2

3.1

3.2

3.3

3.4

3.4.1

3.4.2

3.4.3

3.4.4

3.5

3.5.1

3.5.2

3.6

3.7

3.7.1

3.8

3.8.1

4.*

4.0

4.0.1

5.*

5.0

5.0.1

5.0.2

5.1

5.2

5.3

5.4

5.4.1

5.4.2

5.5

5.5.1

5.6

5.7

5.8

6.*

6.0.1

6.0.2

6.1

7.*

7.0

8.*

8.0

8.0.1

8.0.2

8.0.3

8.0.4

8.1

8.2

8.2.1

8.3

9.*

9.0

9.0.1

9.1

10.*

10.0

10.0.1

10.1

10.2

10.2.1

11.*

11.0

11.1

11.2

11.3

11.3.1

12.*

12.0

12.0.1

12.0.2

12.0.3

12.0.4

12.0.5

12.1

12.2

12.3

12.4

13.*

13.0

13.0.1

13.0.2

14.*

14.0

14.1

14.1.1

14.2

14.3

14.3.1

15.*

15.0

15.1

15.2

16.*

16.0

17.*

17.0

17.1

17.1.1

18.*

18.0

18.0.1

18.1

18.2

18.3

18.3.1

18.3.2

18.4

18.5

18.6

18.6.1

18.7

18.7.1

18.8

18.8.1

19.*

19.0

19.1

19.1.1

19.2

19.3

19.4

19.4.1

19.5

19.6

19.6.1

19.6.2

19.7

20.*

20.0

20.1

20.1.1

20.2.2

20.3

20.3.1

20.4

20.6.6

20.6.7

20.6.8

20.7.0

20.8.0

20.8.1

20.9.0

20.10.1

21.*

21.0.0

21.1.0

21.2.0

21.2.1

21.2.2

22.*

22.0.0

22.0.1

22.0.2

22.0.4

22.0.5

23.*

23.0.0

23.1.0

23.2.0

23.2.1

24.*

24.0.0

24.0.1

24.0.2

24.0.3

24.1.0

24.1.1

24.2.0

24.2.1

24.3.0

24.3.1

25.*

25.0.0

25.0.1

25.0.2

25.1.0

25.1.1

25.1.2

25.1.3

25.1.4

25.1.5

25.1.6

25.2.0

25.3.0

25.4.0

26.*

26.0.0

26.1.0

26.1.1

27.*

27.0.0

27.1.0

27.1.2

27.2.0

27.3.0

27.3.1

28.*

28.0.0

28.1.0

28.2.0

28.3.0

28.4.0

28.5.0

28.6.0

28.6.1

28.7.0

28.7.1

28.8.0

28.8.1

29.*

29.0.0

29.0.1

30.*

30.0.0

30.1.0

30.2.0

30.2.1

30.3.0

30.4.0

31.*

31.0.0

31.0.1

32.*

32.0.0

32.1.0

32.1.1

32.1.2

32.1.3

32.2.0

32.3.0

32.3.1

33.*

33.1.0

33.1.1

34.*

34.0.0

34.0.1

34.0.2

34.0.3

34.1.0

34.1.1

34.2.0

34.3.0

34.3.1

34.3.2

34.3.3

34.4.0

34.4.1

35.*

35.0.0

35.0.1

35.0.2

36.*

36.0.1

36.1.0

36.1.1

36.2.0

36.2.1

36.2.2

36.2.3

36.2.4

36.2.5

36.2.6

36.2.7

36.3.0

36.4.0

36.5.0

36.6.0

36.6.1

36.7.0

36.7.1

36.7.2

36.8.0

37.*

37.0.0

38.*

38.0.0

38.1.0

38.2.0

38.2.1

38.2.3

38.2.4

38.2.5

38.3.0

38.4.0

38.4.1

38.5.0

38.5.1

38.5.2

38.6.0

38.6.1

38.7.0

39.*

39.0.0

39.0.1

39.1.0

39.2.0

40.*

40.0.0

40.1.0

40.1.1

40.2.0

40.3.0

40.4.0

40.4.1

40.4.2

40.4.3

40.5.0

40.6.0

40.6.1

40.6.2

40.6.3

40.7.0

40.7.1

40.7.2

40.7.3

40.8.0

40.9.0

41.*

41.0.0

41.0.1

41.1.0

41.2.0

41.3.0

41.4.0

41.5.0

41.5.1

41.6.0

42.*

42.0.0

42.0.1

42.0.2

43.*

43.0.0

44.*

44.0.0

44.1.0

44.1.1

45.*

45.0.0

45.1.0

45.2.0

45.3.0

46.*

46.0.0

46.1.0

46.1.1

46.1.2

46.1.3

46.2.0

46.3.0

46.3.1

46.4.0

47.*

47.0.0

47.1.0

47.1.1

47.2.0

47.3.0

47.3.1

47.3.2

48.*

48.0.0

49.*

49.0.0

49.0.1

49.1.0

49.1.1

49.1.2

49.1.3

49.2.0

49.2.1

49.3.0

49.3.1

49.3.2

49.4.0

49.5.0

49.6.0

50.*

50.0.0

50.0.1

50.0.2

50.0.3

50.1.0

50.2.0

50.3.0

50.3.1

50.3.2

51.*

51.0.0

51.1.0

51.1.0.post20201221

51.1.1

51.1.2

51.2.0

51.3.0

51.3.1

51.3.2

51.3.3

52.*

52.0.0

53.*

53.0.0

53.1.0

54.*

54.0.0

54.1.0

54.1.1

54.1.2

54.1.3

54.2.0

56.*

56.0.0

56.1.0

56.2.0

57.*

57.0.0

57.1.0

57.2.0

57.3.0

57.4.0

57.5.0

58.*

58.0.0

58.0.1

58.0.2

58.0.3

58.0.4

58.1.0

58.2.0

58.3.0

58.4.0

58.5.0

58.5.1

58.5.2

58.5.3

59.*

59.0.1

59.1.0

59.1.1

59.2.0

59.3.0

59.4.0

59.5.0

59.6.0

59.7.0

59.8.0

60.*

60.0.0

60.0.1

60.0.2

60.0.3

60.0.4

60.0.5

60.1.0

60.1.1

60.2.0

60.3.0

60.3.1

60.4.0

60.5.0

60.6.0

60.7.0

60.7.1

60.8.0

60.8.1

60.8.2

60.9.0

60.9.1

60.9.2

60.9.3

60.10.0

61.*

61.0.0

61.1.0

61.1.1

61.2.0

61.3.0

61.3.1

62.*

62.0.0

62.1.0

62.2.0

62.3.0

62.3.1

62.3.2

62.3.3

62.3.4

62.4.0

62.5.0

62.6.0

63.*

63.0.0b1

63.0.0

63.1.0

63.2.0

63.3.0

63.4.0

63.4.1

63.4.2

63.4.3

64.*

64.0.0

64.0.1

64.0.2

64.0.3

65.*

65.0.0

65.0.1

65.0.2

65.1.0

65.1.1

65.2.0

65.3.0

65.4.0

65.4.1

65.5.0